Exam4Training

Which two outbound network security group (NSG) rules should you create?

You have an Azure virtual network named Vnet1.

You need to ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region. The virtual machines must be prevented from accessing any Azure Storage

resources.

Which two outbound network security group (NSG) rules should you create? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. an allow rule that has the IP address range of Vnet1 as the source and destination of Sq1.EastUS

B. a deny rule that has a source of VirtualNetwork and a destination of Sq1

C. a deny rule that has a source of VirtualNetwork and a destination of 168.63.129.0/24

D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage

Answer: A, D

Explanation:

To ensure that the virtual machines in Vnet1 can access only the Azure SQL resources in the East US Azure region and are prevented from accessing any Azure Storage resources, you should create the following outbound network security group (NSG) rules:

A. an allow rule that has the IP address range of Vnet1 as the source and destination of Sql.EastUS

This rule will explicitly allow traffic from the virtual machines in Vnet1 to the Azure SQL resources located in the East US region. When specifying the destination, you would use the service tag for Azure SQL in the East US region, which is designed to capture the Azure SQL resources in that region.

D. a deny rule that has the IP address range of Vnet1 as the source and destination of Storage

This rule will deny all traffic from Vnet1 to Azure Storage accounts. Similar to the allow rule for Azure SQL, you would use the service tag for Azure Storage, which encompasses all Azure Storage services, to deny access.

In NSG rules, deny rules take precedence over allow rules if they have a lower priority number (priority is inversely related to the rule’s number – lower numbers have higher priority). Therefore, ensure that the deny rule for Azure Storage has a lower priority number than the allow rule for Azure SQL to enforce the desired restrictions.

The service tags ‘Sql.EastUS’ and ‘Storage’ are used in NSG rules to represent the Azure services in a particular region and Azure Storage respectively, allowing for the creation of rules that apply to these services without needing to specify individual IP addresses.

Latest AZ-700 Dumps Valid Version with 59 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Exit mobile version